[133343] in North American Network Operators' Group
Re: Over a decade of DDOS--any progress yet?
daemon@ATHENA.MIT.EDU (Chris Boyd)
Wed Dec 8 14:19:40 2010
From: Chris Boyd <cboyd@gizmopartners.com>
In-Reply-To: <DFF540B5-2621-4C98-927A-D129EE677E11@gmail.com>
Date: Wed, 8 Dec 2010 13:19:22 -0600
To: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Dec 8, 2010, at 9:33 AM, Arturo Servin wrote:
> Yes, but all of them rely on your upstreams or in mirroring your
> content. If 100 Mbps are reaching your input interface of 10Mbps there
> is not much that you can do.
Hmm. What would be really cool is if you could use Snort, NetFlow/NBAR,
or some other sort of DPI tech to find specifically the IP addresses of
the DDoS bots, and then pass that information back upstream via BGP
communities that tell your peer router to drop traffic from those
addresses. That way the target of the traffic can continue to function
if the DDoS traffic doesn't closely mimic the normal traffic.
Your BGP peer router would need to have lots of memory for /32 or /64
routes though.
Anyone heard of such a beast? Or is this how the stuff from places like
Arbor Networks do their thing?
--Chris
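The pipeline the message sketches, written out as an added example (not code from the post or from any vendor it names): aggregate flow records per source address toward the attacked host, pick the sources that exceed a byte threshold, and emit host-route announcements tagged with a community for the upstream to act on. The flow records are constructed, the announcement syntax follows the ExaBGP-style `announce route ... next-hop ... community [...]` form, and the community value `65000:666` and next-hop `192.0.2.1` are assumptions standing in for whatever the upstream actually defines. The `max_routes` cap reflects the memory concern raised in the message: only the heaviest sources get a /32 or /128.

```python
"""Flow-based selection of DDoS sources and community-tagged drop announcements.

Added example; assumes an upstream that honours a drop community on
host routes and an ExaBGP-style announcement syntax. The flow records
below are constructed, not captured traffic.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (source, destination, bytes, packets).
# RFC 5737 / RFC 3849 documentation addresses only.
SAMPLE_FLOWS = [
    ("203.0.113.1", "192.0.2.10", 5_000_000, 40_000),
    ("203.0.113.2", "192.0.2.10", 4_500_000, 36_000),
    ("203.0.113.3", "192.0.2.10", 3_000_000, 24_000),
    ("198.51.100.7", "192.0.2.10", 12_000, 15),        # ordinary client
    ("203.0.113.1", "192.0.2.10", 1_000_000, 8_000),   # second record, same source
    ("2001:db8::5", "2001:db8::10", 2_000_000, 16_000),  # different target, ignored
    ("203.0.113.9", "192.0.2.99", 9_000_000, 70_000),  # different target, ignored
]


def aggregate_sources(flows, target):
    """Sum bytes and packets per source address for flows destined to `target`."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, nbytes, pkts in flows:
        if dst == target:
            totals[src][0] += nbytes
            totals[src][1] += pkts
    return dict(totals)


def select_offenders(totals, byte_threshold, max_routes):
    """Sources at or above `byte_threshold`, heaviest first, capped at `max_routes`.

    The cap bounds how many host routes the upstream router has to carry.
    """
    ranked = sorted(totals.items(), key=lambda kv: kv[1][0], reverse=True)
    return [src for src, (nbytes, _pkts) in ranked if nbytes >= byte_threshold][:max_routes]


def drop_announcements(offenders, next_hop, community):
    """Build one host-route announcement per offender, tagged with `community`.

    Assumed syntax (ExaBGP-style); the community and next-hop are whatever
    the upstream has agreed to treat as "drop traffic from this source".
    """
    lines = []
    for src in offenders:
        addr = ip_address(src)
        plen = 32 if addr.version == 4 else 128
        prefix = ip_network(f"{src}/{plen}")
        lines.append(f"announce route {prefix} next-hop {next_hop} community [{community}]")
    return lines


def mitigation_plan(flows, target, byte_threshold, max_routes, next_hop, community):
    """End-to-end: flows -> per-source totals -> offenders -> announcements."""
    totals = aggregate_sources(flows, target)
    offenders = select_offenders(totals, byte_threshold, max_routes)
    return drop_announcements(offenders, next_hop, community)


if __name__ == "__main__":
    for line in mitigation_plan(SAMPLE_FLOWS, "192.0.2.10", 1_000_000, 2,
                                "192.0.2.1", "65000:666"):
        print(line)
```

With the constructed data and a cap of two routes, only `203.0.113.1` (6 MB across two records) and `203.0.113.2` are announced; the legitimate client at `198.51.100.7` stays below the threshold. The same selection logic applies to IPv6 sources, which get a /128. Note that a source-based filter like this only helps when the attacking addresses are not spoofed, and per-source thresholds need tuning so that a busy legitimate client is not mistaken for a bot.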